Fix heap-use-after-free in Parser error handling

Fixes #2643
sass · Nov 23, 2018 · 930857c · 930857c
1 parent 122d9f3
commit 930857c
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 5 deletions.
diff --git a/src/error_handling.cpp b/src/error_handling.cpp
@@ -15,8 +15,8 @@ namespace Sass {
  prefix("Error"), pstate(pstate), traces(traces)
  { }
 
- InvalidSass::InvalidSass(ParserState pstate, Backtraces traces, std::string msg)
- : Base(pstate, msg, traces)
+ InvalidSass::InvalidSass(ParserState pstate, Backtraces traces, std::string msg, char* owned_src)
+ : Base(pstate, msg, traces), owned_src(owned_src)
  { }
 
 

diff --git a/src/error_handling.hpp b/src/error_handling.hpp
@@ -37,8 +37,9 @@ namespace Sass {
 
  class InvalidSass : public Base {
  public:
- InvalidSass(ParserState pstate, Backtraces traces, std::string msg);
- virtual ~InvalidSass() throw() {};
+ InvalidSass(ParserState pstate, Backtraces traces, std::string msg, char* owned_src = nullptr);
+ virtual ~InvalidSass() throw() { sass_free_memory(owned_src); };
+ char *owned_src;
  };
 
  class InvalidParent : public Base {

diff --git a/src/parser.cpp b/src/parser.cpp
@@ -3054,8 +3054,11 @@ namespace Sass {
  {
  Position p(pos.line ? pos : before_token);
  ParserState pstate(path, source, p, Offset(0, 0));
+ // `pstate.src` may not outlive stack unwind so we must copy it.
+ char *src_copy = sass_copy_c_string(pstate.src);
+ pstate.src = src_copy;
  traces.push_back(Backtrace(pstate));
- throw Exception::InvalidSass(pstate, traces, msg);
+ throw Exception::InvalidSass(pstate, traces, msg, src_copy);
  }
 
  void Parser::error(std::string msg)